The Onion Decoys are implemented with Docker containers as honeypots. The reason to choose Docker is that it is good at process and filesystem isolation, which ultimately gives the ability to run more services on the same box instead of having to deal with resource intensive virtual machines. Also, Docker containers can easily be made very clean, containing no identifying data and having uptimes that are different from the host they’re running in, which makes it difficult to get identified from outside.

The Docker containers are composed with two popular open source honeypots viz. Glastopf for HTTP and Cowrie for SSH & Telnet. The honeypot containers expose three ports viz. port 80 (HTTP), port 22 (SSH) and port 23 (Telnet). Each honeypot container is linked with a separate HS container which together creates the Onion Decoy having a unique onion address. The onion addresses are randomly generated and are not announced publicly anywhere.

# run a container with a network application
$ docker run -d -p 80:80 --name hello_world_container kitematic/hello-world-nginx
# and just link it to this container
$ docker run -tid --link hello_world_container --name hello_world_torrified_container iotdocktor/container-torrify

The .onion URLs will be displayed to stdout at startup.

To keep onion keys, or you already have Hostname/PrivateKey for Tor Hidden Service just mount volume /var/lib/tor/hidden_service/